ICO issues online data collection “Good Practice Note”

Cookies, collecting children’s data and overseas data transfer are just some of the topics covered in a new practice note recently published by the UK’s personal data regulator. Stephen Groom focuses on some of the highlights.

Topic: Privacy

Who: the Information Commissioner's Office

Where: Wilmslow, Cheshire

When: June 2007

What happened:

The UK data privacy watchdog, the Information Commissioner's Office, published its latest "Good Practice Note." It focuses on "Collecting personal information using websites." It can be found here.

The Note is in Q&A format and asks and answers 16 practical questions on the topic in hand.

The first question deals with transparency when personal data is collected. It confirms that in order to process such data fairly and lawfully and thus comply with the first data protection principle, those collecting personal data on websites must always ensure that individuals are aware of:

the identity of the person or organisation responsible for operating the website and anyone else who collects personal information through the website, for instance a third party placing banner ads on the site or a secure payment system provider;

what the information will be processed for; and

any other disclosure needed to ensure fairness including stating that information will be disclosed to third parties if this is the case, including other companies within the same group.

The note goes on to make it clear that because site visitors may not always enter the site via the homepage, these disclosures must be made at any point on the site where personal data is captured.

Is "Click here to see our privacy statement" enough?

Will it be enough to state, wherever data is requested, "click here to see our privacy statement"?

The ICO says "No."

Wherever personal data is collected, it says, there needs to be a "basic description of the site's use of that information, even when more information is provided elsewhere, for instance by way of a Privacy Policy.

This is the so-called "layered notice" approach. Where there is not room for more disclosures (an interesting condition for the ICO to impose, as online there is always more space), the first will be at the point of collection and give usage information "in the broadest terms," the second will be a condensed notice with subheadings, and the third will be the full notice. Interesting, but just how practical is this online?

Cookies and collecting personal information

Here the ICO notes that by using cookies, operators can develop and use profiles on site visitors without collecting traditional identifiers. Nevertheless, the ICO goes on, in an online context the information that identifies an individual is that which uniquely locates him in the world, by distinguishing him from others.

The ICO's view, therefore, is that if profiles based on information collected by cookies are linked to other information which uniquely identifies the individual, these profiles are "personal information" and covered by the Data Protection Act 1998.

The note goes on to point out that under separate regulations, the Privacy and Electronic Communications (EC Directive) Regulations 2003, wherever cookies or other tracking systems are deployed to collect information, an opportunity must be provided to refuse their continued use. If this is done in a Privacy Statement, the Note advises that a reference to the use of tracking technology must be clearly displayed.

What about IP addresses?

In terms of use of IP addresses to profile site visitors, the Note feels that where "dynamic" IP addresses are used, which change each time a user connects to the ISP, it is unlikely such activity would require specific disclosures. This will not be the case, however, where the IP address is static.

Collecting information from third parties

Here the ICO reminds us that where a person's data is not collected from that person, there is still a duty to ensure that subsequent processing is fair. This may involve contacting the person as soon as possible (and, if there is any plan to disclose that data to third parties, at the latest at the time when the disclosure takes place) and telling them that you hold their data.

This does not apply if such contacting would involve "disproportionate effort", but since making contact online is unlikely to be difficult, this may be tricky to swing.

Stepping back for a moment, just how much this guidance is followed in the real world is distinctly questionable, but the position taken by the ICO here is closely linked to wording in the statute, so it should be taken seriously.

Children?

The Note reminds us that although there is no provision in the Data Protection Act 1998 stating at what age it will be acceptable and fair to collect data from a child, the standard adopted by the government creation TrustUK (www.trust.org.uk) is that personal data relating to children under 12 should not be collected online without obtaining the verifiable consent of a parent or guardian.

What about collecting personal data on foreign sites?

The Note points out that even if a business collecting personal information is not based in the UK, the Data Protection Act 1998 may still apply. This will be the case if, for example:

equipment in the UK is used to process the information;

cookies are put on the computers of UK internet users to create a profile of their online behaviour;

the site is hosted on a UK server; or

another organisation is used to process information collected through the site and this organisation is based in the UK.

Why this matters:

This Guidance Note is clear, concise and practical and a useful addition to the ICO's library of guidance. It should always be remembered, however, when wrestling for instance with the concept of not one, but three layered privacy notices, that the ICO's advice is not law and the ultimate decision as to whether UK data protection law has been breached will be for the courts.